# Configure Scan Settings for External Assessment

### Authentication Mode

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FBObUspj3zvKgvoAQxzuP%2Fimage.png?alt=media&#x26;token=144e4326-4888-4ff5-95fb-c981bf3de5e0" alt=""><figcaption></figcaption></figure>

Authentication Mode determines whether the scan runs with or without user authentication. You can select one or both modes to run comprehensive scans.

**Unauthenticated**

* This mode runs scans without requiring any logged-in user session.
* Scans public-facing pages that don't require login.
* The system won’t utilize any browser session during the scan.
* Ideal for identifying public endpoints, testing vulnerabilities that don’t require authentication, or mapping out public attack surfaces.

**Authenticated**

* In this mode, scans are conducted using logged-in user sessions.
* Scans pages and features that require authentication.
* Uses browser sessions you've configured to access protected areas.
* Ideal for testing authenticated features, role-based access controls, or user-specific functionality.

{% hint style="info" %}
**Note:** If you select Authenticated mode, you must also configure at least one browser session.
{% endhint %}

***

### Browser Sessions

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FtOlc7wtbfOkvpQZDTJfS%2Fimage.png?alt=media&#x26;token=8692a3bc-84ca-44f7-a198-7781fcb78c88" alt=""><figcaption></figcaption></figure>

Browser sessions store information (cookies, local storage, session storage) that represents a specific user role or permission level in the application. The scan uses it to behave like a real authenticated user.

#### Selecting Existing Browser Sessions

1. After selecting **Authenticated** mode, a **Browser Sessions** dropdown will appear.
2. Click the dropdown to see all available browser sessions for the selected domain.
3. You can select multiple browser sessions; each one runs a separate authenticated assessment.

#### Import Browser Session

The Import Browser Session feature allows you to create new browser sessions either by recording them live or importing them from a file.

When **Authenticated** mode is selected, you’ll see a **Browser Session** section with an **Import Browser Session** button. This opens a modal with two options:

* **Record**
* **Import (Legacy)**

#### Option 1: Record (Recommended)

Opens a browser window on your configured **SANDBOX** agent where you can manually navigate through the website and record your session. This captures cookies, storage, and browser actions automatically. It also gives Pentest Copilot more information about the domain, which improves the quality of the assessment.

{% content-ref url="recording-browser-session" %}
[recording-browser-session](https://copilot-docs.bugbase.ai/enterprise/how-to-trigger-an-external-scan/recording-browser-session)
{% endcontent-ref %}

#### Option 2: Import (Legacy)

Allows you to upload a browser session JSON file or paste a browser session that was exported using the Pentest Copilot Browser Session Exporter browser extension.

{% content-ref url="importing-browser-session-legacy" %}
[importing-browser-session-legacy](https://copilot-docs.bugbase.ai/enterprise/how-to-trigger-an-external-scan/importing-browser-session-legacy)
{% endcontent-ref %}

#### Validating Browser Session

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2F4I2CQNROQ0u3rRSQfDjP%2Fimage.png?alt=media&#x26;token=486868a3-8e76-4262-a02f-589e5c9f980b" alt=""><figcaption></figcaption></figure>

After a browser session is created, it is essential to validate whether the session can be reliably replicated. This validation also helps identify edge cases where applying the session state may fail.

The guide below outlines the recommended steps to validate browser sessions before initiating any scans.

{% content-ref url="recording-browser-session" %}
[recording-browser-session](https://copilot-docs.bugbase.ai/enterprise/how-to-trigger-an-external-scan/recording-browser-session)
{% endcontent-ref %}
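As an added example (not Pentest Copilot's own code or export format), a pre-flight check that catches the usual reasons a recorded session state fails to apply: expired cookies, cookies scoped to a different host, `Secure` cookies replayed over plain HTTP, and storage captured for another origin. It assumes a Playwright-style `storageState` layout with `cookies` and `origins` lists; the hostnames and token values are constructed.

```python
import json
import time
from urllib.parse import urlsplit

# Constructed sample export. The layout (a "cookies" list plus per-origin
# "localStorage") follows the Playwright/Puppeteer storageState convention;
# this is an assumption, not Pentest Copilot's own export format.
SAMPLE_SESSION = json.dumps({
    "cookies": [
        {"name": "sid", "value": "s3ss10n", "domain": "app.example.com", "path": "/",
         "expires": 4102444800, "httpOnly": True, "secure": True},
        {"name": "csrf", "value": "t0k3n", "domain": "app.example.com", "path": "/",
         "expires": 946684800, "httpOnly": False, "secure": True},
        {"name": "pref", "value": "dark", "domain": "other.example.net", "path": "/",
         "expires": -1, "httpOnly": False, "secure": False},
    ],
    "origins": [
        {"origin": "https://app.example.com",
         "localStorage": [{"name": "access_token", "value": "<placeholder-jwt>"}]},
    ],
})

def _host_matches(cookie_domain, host):
    """Cookie domain matching: exact host, or a parent domain for domain cookies."""
    dom = cookie_domain.lstrip(".")
    return host == dom or host.endswith("." + dom)

def validate_session(export_json, target_url, now=None):
    """Return the reasons replaying this session against target_url is likely
    to fail; an empty list means the state looks replayable."""
    now = time.time() if now is None else now
    state = json.loads(export_json)
    parts = urlsplit(target_url)
    host, scheme = parts.hostname or "", parts.scheme
    problems = []
    for c in state.get("cookies", []):
        name, exp = c.get("name", "?"), c.get("expires", -1)
        if exp not in (-1, None) and exp < now:
            problems.append(f"cookie {name!r} expired")  # session already dead
        if not _host_matches(c.get("domain", ""), host):
            problems.append(f"cookie {name!r} is not sent to {host!r}")  # wrong host
        if c.get("secure") and scheme != "https":
            problems.append(f"cookie {name!r} is Secure but target is {scheme}")
    for o in state.get("origins", []):
        if o.get("localStorage") and urlsplit(o.get("origin", "")).hostname != host:
            problems.append(f"localStorage for {o['origin']} is invisible on {host!r}")
    if not state.get("cookies") and not state.get("origins"):
        problems.append("export carries no cookies or storage")
    return problems
```

Running this against the target URL before a scan surfaces the sort of edge case the validation step is meant to catch, such as a CSRF cookie that expired between recording and replay.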

***

### Scan-Specific Hyperparameters

Below are the options available to tune the scan further.

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FUBWSRj2GjqkRUUmmxRV0%2Fimage.png?alt=media&#x26;token=c43638b9-21b7-4c29-adaf-fa88c78ce0f7" alt=""><figcaption></figcaption></figure>

### Rate Limit

Controls how many HTTP requests the scanner makes per second. This helps prevent overwhelming target servers and avoids triggering rate limiting or blocking.

***

### Ignore 404 Check

When enabled, the system will keep webpages that might be 404 (not found) error pages instead of automatically filtering them out.

**Default behaviour**: By default, the system automatically detects and filters out pages that look like 404 error pages. This helps focus on real, accessible content.

**When to enable *Ignore 404 Check*:**

* The site's custom error pages resemble real pages, so the filter may drop legitimate content.
* You are testing a site with unusual routing where many valid pages look similar.
* You want to analyse 404 pages for information disclosure.
* The target site has custom 404 pages that might contain useful information.
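As an added illustration (not Pentest Copilot's own detection logic), one common soft-404 heuristic compares each crawled page with the response for a known-nonexistent URL and drops anything too similar. The constructed pages below show how the cases above arise: a sparse but valid page that shares the site template is filtered by default, and the Ignore 404 Check behaviour keeps it.

```python
import difflib
import re

# Constructed sample pages standing in for a crawl of a site whose error page
# is served with HTTP 200 (a "soft 404"). Illustrative only, not from any real site.
HEAD = ("<html><head><title>Shop</title></head><body><nav>Home | Products | Account | Help</nav>"
        "<aside>Free shipping on orders over $50</aside>")
FOOT = "<footer>Shop Inc | Terms | Privacy | Contact</footer></body></html>"

# Response for a URL that certainly does not exist: the comparison baseline.
BASELINE_404 = HEAD + "<h1>Page not found</h1><p>Sorry, we couldn't find that page.</p>" + FOOT

CRAWL = {
    "/products/blue-widget": HEAD + "<h1>Blue Widget</h1><p>Price: $19.99. In stock, ships in 2 days.</p>"
        "<ul><li>Colour: blue</li><li>Weight: 200 g</li><li>SKU: BW-200</li></ul>"
        "<p>A sturdy blue widget for everyday use, made from recycled steel.</p>"
        "<button>Add to cart</button><p>Reviews: 4.6 / 5 from 128 buyers.</p>" + FOOT,
    # Valid but sparse: almost all of its text is the shared template.
    "/cart": HEAD + "<h1>Cart</h1><p>Your cart is empty.</p>" + FOOT,
    # Soft 404: the error page returned with a 200 status under a stale URL.
    "/old-page": BASELINE_404,
}

def _visible_text(html):
    """Drop tags and collapse whitespace so comparison is on what a user sees."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()

def similarity(body, baseline_404):
    """0.0-1.0 similarity between a page's visible text and the error page's."""
    return difflib.SequenceMatcher(None, _visible_text(body), _visible_text(baseline_404)).ratio()

def looks_like_404(body, baseline_404, threshold=0.75):
    """Soft-404 heuristic: treat a page as 'not found' when it closely resembles
    the error page. Shared navigation and footers inflate the score."""
    return similarity(body, baseline_404) >= threshold

def filter_pages(pages, baseline_404, ignore_404_check=False, threshold=0.75):
    """Default behaviour drops pages that look like the error page; with
    ignore_404_check=True every crawled page is kept for analysis."""
    if ignore_404_check:
        return dict(pages)
    return {url: body for url, body in pages.items()
            if not looks_like_404(body, baseline_404, threshold)}
```

With the default threshold the empty-cart page is discarded alongside the real soft 404, which is the false positive the option exists to avoid.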

***

### Fail Module on Invalid Session

When enabled, the module will immediately fail if the browser session becomes invalid (expired or logged out) during scanning, without attempting to continue or regenerate the session.

**Default Behaviour:** By default, if a session becomes invalid, the system may attempt to regenerate the session and continue the assessment.

**When to Enable:** Enable this option if you want the scan to stop immediately when the browser session is invalid, without regeneration attempts.

***

### Skip Browser Session Validation

When enabled, the system skips validation checks that verify browser sessions are still valid before starting jobs. This can speed up scans but may result in failures if sessions are invalid.

**Default Behaviour:** By default, the system validates browser sessions before running jobs to ensure they're still active and valid.

**When to Enable:** Enable this option when you want to skip the pre-run session checks to save time, accepting that jobs may fail if a session turns out to be invalid.

{% hint style="info" %}
**Note:** This option only appears when **Authenticated** mode is selected.
{% endhint %}

***

### Use Residential IP

When enabled, all browser traffic generated during the scan is routed through a residential proxy IP address instead of your server's IP. This is enabled by default for all scans.

<figure><img src="https://232193438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwolEZzMm5QD9NoFKutSj%2Fuploads%2FtRTq1f0uVzLKtoofgXOM%2Fimage.png?alt=media&#x26;token=71b6fc67-a2db-460a-87f5-b0298790e957" alt=""><figcaption></figcaption></figure>

#### Why Use a Residential IP?

Many modern web applications employ bot detection and IP reputation services (e.g., Cloudflare, Akamai, DataDome) that can detect and block traffic originating from cloud or datacenter IP addresses. Since Pentest Copilot runs on cloud infrastructure, your server's IP may be flagged as non-human traffic, leading to CAPTCHAs, rate limiting, or outright blocking during a scan.

Residential IPs are IP addresses registered to real Internet Service Providers (ISPs). They appear as regular consumer internet connections, making your scan traffic indistinguishable from a real user browsing the target application.

#### How It Works

* Each module run is assigned a **dedicated static residential IP** from a pool of available proxy ports.
* The same IP is used for the **entire duration** of the module run — even if it runs for 48-72+ hours. There is no session timeout or forced IP rotation.
* Different modules running concurrently receive **different IPs**, so scan traffic is distributed across multiple residential addresses.

#### When to Use It

| Scenario                                         | Recommendation                                           |
| ------------------------------------------------ | -------------------------------------------------------- |
| Target has bot detection (Cloudflare, WAF, etc.) | **Enable** (default)                                     |
| Target is on an internal network or localhost    | Disable — residential proxy cannot reach internal hosts  |
| Target whitelists your server IP                 | Can disable if preferred, but residential IP still works |

#### Browser Session Recording

The **Use Residential IP** option is also available when recording browser sessions. If your target blocks the sandbox agent's IP during session recording, enable this option on the recording modal to route the browser through a residential IP.

***

### Force Separate Driver

When enabled, this option runs each test using a separate Chrome browser instance instead of opening multiple tabs within a single browser window.

**Default Behaviour:**\
By default, Pentest Copilot uses a single Chrome browser and executes tests in parallel by opening multiple tabs within that browser.

**When to Enable:**\
Enable this option if the target application cannot reliably maintain session state across multiple tabs, for example when opening the same application in different tabs causes session collisions, forced logouts, overwritten state, or other interference between tests.

**Why Use It:**\
Using separate browser instances ensures full isolation between test flows, preventing shared session, cookie, or storage conflicts that may lead to false negatives or unstable scan results.

***

### Custom Headers

Allows you to add custom HTTP headers that will be sent with every request during scanning. This is useful for adding API keys, custom authentication tokens, or other headers required by the target application.

***

### Manual Crawler

Manual Crawler allows you to manually navigate through a website and create trajectories (sequences of actions) that can be tested and replayed. This is useful for creating specific test scenarios or exploring complex user flows.

{% content-ref url="manual-crawler" %}
[manual-crawler](https://copilot-docs.bugbase.ai/enterprise/how-to-trigger-an-external-scan/manual-crawler)
{% endcontent-ref %}

***

### Attack Vectors

Attack vectors (also called Focus Categories) allow you to specify which types of vulnerabilities to prioritise during scanning. This helps focus the scan on areas most relevant to your security testing goals.

#### Available Attack Vectors

The available attack vectors depend on your system configuration. Common categories include:

* **Authentication Issues**
* **Authorization Problems**
* **Input Validation**
* **SQL Injection**
* **XSS (Cross-Site Scripting)**
* **CSRF (Cross-Site Request Forgery)**
* **File Upload Vulnerabilities**
* **API Security Issues**
* And more...
